Platform based verification of contents of input-output devices

ABSTRACT

A platform to support verification of the contents of an input-output device. The platform includes a platform hardware, which may verify the contents of the I/O device. The platform hardware may comprise components such as manageability engine and verification engine that are used to verify the contents of the I/O device even before the contents of the I/O device are exposed to an operating system supported by a host. The platform components may delete the infected portions of the contents of I/O device if the verification process indicates that the contents of the I/O device include the infected portions.

BACKGROUND

Input-output devices such as universal serial bus (USB) flash drives,compact disk read-only memory (CD-ROM), pen drives are, unfortunately,being used as a common medium to spread malware/worms/viruses overenterprise networks and internet based networks. For example, commonviruses such as “Ravmon”, “Orkut is banned”, “New Folder. exe” arespreading through USB drives. Most of the Anti-virus programs availablein the market place are unable to detect them and even if the virusesare detected, the anti-virus programs are unable to delete the infectedfiles. The anti-virus programs may only quarantine the infected files.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention described herein is illustrated by way of example and notby way of limitation in the accompanying figures. For simplicity andclarity of illustration, elements illustrated in the figures are notnecessarily drawn to scale. For example, the dimensions of some elementsmay be exaggerated relative to other elements for clarity. Further,where considered appropriate, reference labels have been repeated amongthe figures to indicate corresponding or analogous elements.

FIG. 1 illustrates a platform 100, which supports a technique to verifythe contents of the I/O device in hardware before the contents areexposed to the operating system (OS) according to one embodiment.

FIG. 2 is a flow-chart illustrating a technique to verify the contentsof the I/O device in hardware before the contents are exposed to the OSaccording to one embodiment.

FIG. 3 illustrates an platform based architecture, which may support atechnique to verify the contents of the I/O device in the hardwarebefore the contents are exposed to the OS according to one embodiment.

FIG. 4 is a flow-chart illustrating a technique in which components ofFIG. 3 together verify the contents of the I/O device before thecontents are exposed to the OS according to one embodiment.

FIG. 5 illustrates a system 500, which supports verification of thecontents of the I/O device before the contents are exposed to the OSaccording to one embodiment.

DETAILED DESCRIPTION

The following description describes embodiments of a platform basedverification of the contents of the I/O devices. In the followingdescription, numerous specific details such as logic implementations,resource partitioning, or sharing, or duplication implementations, typesand interrelationships of system components, and logic partitioning orintegration choices are set forth in order to provide a more thoroughunderstanding of the present invention. It will be appreciated, however,by one skilled in the art that the invention may be practiced withoutsuch specific details. In other instances, control structures, gatelevel circuits, and full software instruction sequences have not beenshown in detail in order not to obscure the invention. Those of ordinaryskill in the art, with the included descriptions, will be able toimplement appropriate functionality without undue experimentation.

References in the specification to “one embodiment”, “an embodiment”,“an example embodiment”, indicate that the embodiment described mayinclude a particular feature, structure, or characteristic, but everyembodiment may not necessarily include the particular feature,structure, or characteristic. Moreover, such phrases are not necessarilyreferring to the same embodiment. Further, when a particular feature,structure, or characteristic is described in connection with anembodiment, it is submitted that it is within the knowledge of oneskilled in the art to affect such feature, structure, or characteristicin connection with other embodiments whether or not explicitlydescribed.

Embodiments of the invention may be implemented in hardware, firmware,software, or any combination thereof. Embodiments of the invention mayalso be implemented as instructions stored on a machine-readable medium,which may be read and executed by one or more processors. Amachine-readable medium may include any mechanism for storing ortransmitting information in a form readable by a machine (e.g., acomputing device).

For example, a machine-readable medium may include read only memory(ROM); random access memory (RAM); magnetic disk storage media; opticalstorage media; flash memory devices; electrical, optical, acoustical orother similar signals. Further, firmware, software, routines, andinstructions may be described herein as performing certain actions.However, it should be appreciated that such descriptions are merely forconvenience and that such actions in fact result from computing devices,processors, controllers, and other devices executing the firmware,software, routines, and instructions.

In one embodiment, the platform 100 may comprise applications 110, ahost operating system (OS) 120, a platform hardware 150, and I/O devices190. In one embodiment, the applications 110 may comprise one or moreapplications supported by the host OS 120 and the platform hardware 150.

In one embodiment, the platform hardware 150 may comprise one or moreprocessing cores, chipset, memory, and such other similar hardwarecomponents. In one embodiment, the platform hardware 150 may supportcomponents such as a firmware, manageability engine (ME) and virtualizerengine (VE). In one embodiment, the platform hardware 150 may verify thecontents of the I/O device 190-N even before the contents are exposed tothe host OS 120 in response to receiving an interrupt from an I/O device190-N. In one embodiment, the OS independent hardware based verificationprocess may avoid the platform 100 from being infected by the malware orvirus. In one embodiment, the verification of the contents of the I/Odevices may be applicable to legacy I/O devices and the verificationprocess may also provide better user experience.

An embodiment of the operation of the platform 100, which may verify thecontents of the I/O device before the contents are exposed to the hostOS 120 is illustrated in flow-chart of FIG. 2.

In block 210, the platform hardware 150 may receive an interrupt from anI/O device such as the I/O device 190-N and control passes to block 250in response to receiving the interrupt. In one embodiment, the interruptmay be generated in response to an input-output device 190-N such as aUSB drive or a pen drive plugged into the platform 100.

In block 250, the platform hardware 150 may verify the contents of theI/O device 190-N even before the contents of the I/O device 190-N areexposed to the host OS 120. In one embodiment, the platform hardware 150may detect infected portions of the contents of the I/O device 190-N ifthe contents comprise infected portions.

In block 280, the platform hardware 150 may alert a user or delete theinfected portions of the contents of the I/O device 190-N, if any, evenbefore the infected portions affect the platform 100.

An embodiment of a platform architecture 300 comprising hardware orfirmware components that enable verification of the contents of an I/Odevice before the contents are exposed to the host OS is illustrated inFIG. 3. In one embodiment, the host OS 120 may support a local AV agent315 and a host interface 316. In one embodiment, the platform hardware150 may include a central processing unit 320 and chipset 325, which maysupport a platform control hub (PCH) 330. In other embodiment, thechipset 325 may support a local AV interface 315 in which case the hostOS 120 may not comprise the local AV interface 315.

In one embodiment, the CPU 320 may support the host OS 120. In oneembodiment, the platform controller hub PCH 330 may comprise amanageability engine ME 340, a virtualizer engine VE 350, and an I/Ocontroller 360.

In one embodiment, the I/O controller 360 may receive an interruptsignal after the I/O device 190-N is coupled to the platform 300. In oneembodiment, the I/O controller 360 may provide interrupt information tothe virtualizer engine VE 350. In one embodiment, the I/O controller 360may receive an interrupt from a USB based I/O device and may provide theinterrupt information based on, for example, extended host commandinterface (EHCI) standards.

In one embodiment, the virtualizer engine VE 350 may comprise avirtualizer engine (VE) controller 354 and a virtualizer engine (VE)interface 355. In one embodiment, the VE interface 355 may supportexchange of information between the VE 350 and the I/O controller 360.In one embodiment, the VE interface 355 may receive an interrupt signalfrom the I/O controller 360 and may pass information of the interruptsignal to the VE controller 354. In one embodiment, the VE interface 355may receive scanning request from the VE controller 354 in response tosending the interrupt signal and may forward the scanning request to theME 340. In one embodiment, the VE interface 355 may use interfaces suchas manageability engine command interface (MECI) to support MECIconnection to the ME 340 and an extended host command interface (EHCI)to support EHCI connection to the I/O controller 360.

In one embodiment, the VE controller 354 may support drivers that allowthe VE controller 354 to generate the scanning request for initiating ahardware based scanning of the contents of the I/O device 190-N. In oneembodiment, the VE controller 354 may generate a hardware based scanningrequest based on the interruption signal received from the VE interface355. In one embodiment, the scanning request may allow a user of theplatform to provide inputs on whether the scanning of the contents ofthe I/O device 190-N is to be performed. In one embodiment, the VEcontroller 354 may send the scanning request to the VE interface 355.

In one embodiment, the manageability engine ME 340 may comprise MEinterface 341, ME controller 342, compression block 343, file systemblock 345, and out-of-band (OOB) 348. In one embodiment, the MEinterface 341 may support exchange of information with the VE 350 andthe local AV agent 315, which may be provisioned either in a host OS 120or within the platform hardware 130. In one embodiment, the ME interface341 may receive scanning request and forward the scanning request to theME controller 342. In one embodiment, the ME interface 341 may receivecontents of the I/O device 190-N after the ME controller 342 issues acommand to retrieve the contents and may pass the contents to the MEcontroller 342. In one embodiment, the ME interface 341 may supportinterfaces such as manageability engine command interface (MECI) tosupport a MECI connection to the VE 350 and host embedded controlinterface (HECI) to support a HECI connection to the host OS 120. In oneembodiment, the ME interface 341 may also support proprietary protocolsto support communication between the local AV agent 315 and the ME 340if the local AV agent 315 is provisioned within the platform hardware130.

In one embodiment, the ME controller 342 may forward the scanningrequest to a user via user interface UI 305. In one embodiment, the MEcontroller 342 may use UI 305 to receive user inputs such as a grantsignal for verification of the contents of the I/O device 190-N from auser in response to the scanning request. In one embodiment, the MEcontroller 342 may retrieve contents of the I/O device 190-N forverification based on the user input. In one embodiment, the MEcontroller 342 may use EHCI driver supported by the VE controller 354 toretrieve the contents of the USB type I/O device 190-N. In oneembodiment, the ME controller 342 may store the contents of the I/Odevice 190-N in a file system block 345. In one embodiment, the filesystem block 345 may support file allocation table (FAT-32) format andthe contents of the I/O device 190-N may be stored on a per-file basis.In one embodiment, the ME controller 342 may generate hash of each fileof the I/O device 190-N.

In one embodiment, ME controller 342 may send the contents of the I/Odevice 190-N to the local AV agent 315 or to a remote console 390 forverification. In one embodiment, the ME controller 342 may send the hashvalues to the local AV agent 315 if the ME controller 342 uses the localAV agent 315 for verification of the contents of the I/O device 190-N.While using remote verification process, in one embodiment, the MEcontroller 342 may compress the contents of the I/O device 190-N usingthe compression block 343 to conserve network bandwidth. In oneembodiment, the compression block 343 may use compression algorithmssuch as Lempel-ziv LZ1, LZ2 algorithms or any other lossy or losslessalgorithms, for example. In one embodiment, the ME controller 342 maysend the compressed contents to the out-of-band communication block OOB348 via the ME interface 341. In one embodiment, the OOB 348 may useout-of-band signaling mechanism to send the compressed contents to theAV application/service 395 supported by the remote console 390.

In one embodiment, the ME controller 342 may receive the results ofverification and may alert the user if the verification results indicatepresence of infected portions in the contents of the I/O device 190-N.In one embodiment, the ME controller 342 may receive a log of theinfected portions of the contents from one of the local AV agent 315 orAV application/service 395. In one embodiment, the ME controller 342 mayinitiate deletion process in which the infected portions of the contentsof the I/O device 190-N may be deleted. In one embodiment, the MEcontroller 342 may provide the information of the infected portions theuser or host OS 120.

In one embodiment, the host OS 120 may support a local anti-virus (AV)agent 315 and a host interface 316. In one embodiment, the hostinterface 316 may support, for example, HECI interface to provide a HECIconnection to the platform hardware 130. In one embodiment, the local AVagent 315 may receive contents of the I/O device 190-N from the platformcontroller hub PCH 330 over the HECI connection and may process thecontents of the I/O device 190-N to detect presence of infectedportions. In one embodiment, the local AV agent 315 may detect presenceof viruses, malware, or worms (infected portions) in the contents andmay provide such information of the infected portions to the ME 340 overHECI connection. In one embodiment, the local AV agent 135 may scan thecontents and provide results to PCH 330 before the PCH 330 may exposethe I/O device 190-N such as a USB device to host OS 120 for auto-play.

In other embodiment, the local AV agent 315 may be supported by achipset provisioned within the platform hardware 130. In such a case,the local AV agent 315 may receive the contents of the I/O device 190-Nover proprietary communication medium and detect the presence ofinfected portions. In one embodiment, the local AV agent 315 may detectpresence of viruses, malware, or worms (infected portions) in thecontents and may provide such information of the infected portions tothe ME 340 over proprietary connection. In one embodiment, the local AVagent 135 supported by the PCH 330 may scan the contents and provideresults to ME 340. In one embodiment, such an approach may avoidtransfer of contents of the I/O device 190-N over the HECI connection.

In one embodiment, the remote console 390 may comprise AVapplication/services 395, which may uncompress the compressed contentsbefore performing a anti-virus scan. In one embodiment, the AVapplication/services 395 may verify the contents and send a log of theinfected portions to the ME 340 if the AV applications/services 395detect presence of the infected portions.

A flow-chart illustrating the operation of the platform components ofFIG. 3 to verify the contents of the I/O device 190-N before thecontents are exposed to the host OS 120 is illustrated in flow-chart ofFIG. 4.

In block 410, the I/O controller 360 may receive an interrupt from anI/O device such as the I/O device 190-N and may pass the interruptsignal to the VE 350.

In block 420, the VE controller 354 may send a request to the host OS120 or a user using UI 305 for a hardware based scanning of the contentsof the I/O device 190-N. In block 430, the ME controller 342 mayretrieve the contents of the I/O device 190-N using a driver supportedby the VE controller 354 if the user selects to scan the contents of theI/O device 190-N.

In block 450, the ME controller 342 may send the contents of the I/Odevice 190-N to the local AV agent 315 or the AV application/service 395of the remote console 390.

In block 460, the local AV agent 315 or the AV application/service 395may verify the contents of the I/O device 190-N for presence of infectedportions. In one embodiment, the local AV agent 315 or the AVapplication/service 395 may generate information (or a log), which maycomprise indications of the infected portions of the contents of I/Odevice 190-N.

In block 470, the local AV agent 315 or the AV application/service 395may provide information (or a log) to the ME 340.

In block 480, the ME controller 342 may alert the user and then deletethe infected portions even before the infected portions are exposed tothe operating system. In one embodiment, the ME controller 342 maydelete the infected portions after receiving the information, which mayindicate the presence of infected portions in the contents of the I/Odevice 190-N.

Referring to FIG. 5, a computer system 500 may include a general purposeprocessor 502 including a single instruction multiple data (SIMD)processor and a graphics processor unit (GPU) 505. The processor 502, inone embodiment, may perform enhancement operations in addition toperforming various other tasks or store a sequence of instructions, toprovide enhancement operations in a machine readable storage medium 525.However, the sequence of instructions may also be stored in the memory520 or in any other suitable storage medium.

While a separate graphics processor unit 505 is depicted in FIG. 5, insome embodiments, the graphics processor unit 505 may be used to performenhancement operations, as another example. The processor 502 thatoperates the computer system 500 may be one or more processor corescoupled to logic 530. The logic 530 may be coupled to one or more I/Odevices 560, which may provide interface the computer system 500. Thelogic 530, for example, could be chipset logic in one embodiment. Thelogic 530 is coupled to the memory 520, which can be any kind ofstorage, including optical, magnetic, or semiconductor storage. Thegraphics processor unit 505 is coupled through a frame buffer 510 to adisplay 540.

The logic 530 may support manageability engine ME 532 and virtualizerengine VE 536. In one embodiment, the ME 532 may be similar to the ME342 described with reference to FIG. 3 above and VE 536 may be similarto the VE 354 described with reference to FIG. 3 above. In oneembodiment the logic 530 may receive an interrupt from an I/O devicesuch as the I/O device 550-2 and initiate the VE 536. In one embodiment,the interrupt may be generated in response to an I/O device 550-2 suchas a USB drive or a pen drive plugged into the computer system 500.

In one embodiment, the ME 532 and VE 536 may cause the contents of theI/O device 550-2 to be verified even before the contents of the I/Odevice 550-2 are exposed to the host OS 503 supported by the processor502. In one embodiment, the local AV agent 504 or an agent supported bythe remote console 580 may detect infected portion of the contents ifthe contents are infected. In one embodiment, the agent of the remoteconsole 580 may be used by sending the contents to the agent using thenetwork 570. In one embodiment, the computer system 500 may be coupledto the network 570 using the network interface 560. In one embodiment,the ME 532 may alert a user or delete the infected portions of thecontents of the I/O device 550-2 after detecting any infected portion inthe contents.

Certain features of the invention have been described with reference toexample embodiments. However, the description is not intended to beconstrued in a limiting sense. Various modifications of the exampleembodiments, as well as other embodiments of the invention, which areapparent to persons skilled in the art to which the invention pertainsare deemed to lie within the spirit and scope of the invention.

1. A method to verify contents of an input-output (I/O) device in acomputing system comprising: verifying the contents of the I/O deviceusing hardware components before the contents of the I/O device areexposed to an operating system for auto-play.
 2. The method of claim 1comprises sending a request for hardware based scanning of the contentsof the I/O device in response to receiving an interrupt from the I/Odevice.
 3. The method of claim 2, wherein the contents of the I/O deviceare provided to a local anti-virus agent after receiving a grant signalto the request, wherein the operating system is to support the localanti-virus agent.
 4. The method of claim 2, wherein the contents of theI/O device are provided to a local anti-virus agent after receiving agrant signal to the request, wherein the hardware components is tosupport the local anti-virus agent.
 5. The method of claim 3 furthercomprises storing the contents of the I/O device based on a fileallocation table FAT-32 format.
 6. The method of claim 2 furthercomprises receiving information from the local anti-virus agent, whereinthe information indicates infected portions of the contents of the I/Odevice.
 7. The method of claim 6 further comprises deleting the infectedportion even before the infected portions are exposed to the operatingsystem.
 8. The method of claim 2, wherein the contents of the I/O deviceare provided to an agent supported by a remote console, wherein anout-of-band communication technique is used to provide the contents tothe agent supported by the remote console.
 9. The method of claim 6comprises, storing the contents of the I/O device based on a fileallocation table FAT-32 format, and compressing the contents of the I/Odevice stored in the FAT-32 format.
 10. The method of claim 8 furthercomprises receiving information from the agent supported by the remoteconsole, wherein the information indicates infected portions of thecontents of the I/O device.
 11. The method of claim 10 further comprisesdeleting the infected portions even before the infected portions areexposed to the operating system.
 12. An apparatus to verify contents ofan input-output (I/O) device comprising: a platform hardware coupled tothe I/O device, wherein the platform hardware is to verify the contentsof the I/O device before the contents of the I/O device are exposed toan operating system for an auto-play.
 13. The apparatus of claim 12, theplatform hardware further comprises, an input-output controller coupledto the I/O device, wherein the input-output controller is to provide aninterrupt signal in response to receiving an interrupt in response tothe I/O device being plugged in, and a virtualizer engine coupled to theinput-output controller, wherein the virtualizer engine is to send arequest for a hardware based scanning of the contents of the I/O devicein response to receiving the interrupt signal.
 14. The apparatus ofclaim 13, the platform hardware further comprises a manageability enginecoupled to the virtualizer engine, wherein the manageability engineincludes a manageability engine controller, wherein the manageabilityengine controller is to provide the contents of the I/O device to alocal anti-virus agent supported by the operating system in response toreceiving a grant signal to the request.
 15. The apparatus of claim 13,the platform hardware further comprises a manageability engine coupledto the virtualizer engine, wherein the manageability engine includes amanageability engine controller, wherein the manageability enginecontroller is to provide the contents of the I/O device to a localanti-virus agent supported by the platform hardware in response toreceiving a grant signal to the request.
 16. The apparatus of claim 14,wherein the manageability engine controller is to store the contents ofthe I/O device based on a file allocation table FAT-32 format.
 17. Theapparatus of claim 14, wherein the manageability engine controller is toreceive information from the local anti-virus agent, wherein theinformation is to indicate infected portions of the contents of the I/Odevice.
 18. The apparatus of claim 17, wherein the manageability enginecontroller is to delete the infected portions even before the infectedportions are exposed to the operating system.
 19. The apparatus of claim14, wherein the manageability engine controller is to provide thecontents of the I/O device to an agent supported by a remote console,wherein the manageability engine controller is to use an out-of-bandcommunication technique to provide the contents to the agent supportedby the remote console.
 20. The apparatus of claim 17, wherein themanageability engine controller is to, store the contents of the I/Odevice based on a file allocation table FAT-32 format, and initiatecompression of the contents of the I/O device stored in the FAT-32format.
 21. The apparatus of claim 19, wherein the manageability enginecontroller is to receive information from the agent supported by theremote console, wherein the information is to indicate infected portionsof the contents of the I/O device.
 22. The apparatus of claim 21,wherein the manageability engine controller is to delete the infectedportions from the contents even before the infected portions are exposedto the operating system.